Hello,
I have a prototype JAX-RS based service running on Tomcat 6 with
Jersey. The client is using the Apache HttpClient library.
Everything is working fine. I have security constraints on certain URLs
and methods (POST) with Basic Authentication.
So as long as I pass the Authentication header with every call,
everything works fine.
Some general questions:
1 - Is it a normal pattern to pass the authentication header over and
over for the same user making multiple calls to service methods? Is
there a way to make it so that this header only needs to be passed once
for a given period of time?
2 - For some of the service methods that don't change data (i.e. GET
based calls), I still need the userid of the user making the call. What
is the best way to pass this? A value in a cookie? If so, should it be
encrypted to prevent cross-site scripting attacks?
Just looking for some general guidance for how/when to use the
Authentication headers, cookies, etc.
Thanks,
Mike